Data security.

How we keep the receipts and workbook data you upload safe from accidental disclosure, unauthorised access, and infrastructure failure. Plain English. No security theatre.

Last updated: 29 April 2026

1. Encryption

  • In transit: TLS 1.3 only. Older protocols (TLS 1.0, 1.1, SSLv3) and weak cipher suites are disabled at the edge. HSTS preloaded.
  • At rest: AES-256 encryption on all stored files (receipts, generated workbooks) and database rows. Encryption keys are managed by our infrastructure providers and rotated on their schedules.
  • Backups: backup data is encrypted with the same standards as primary storage. Archival snapshots follow the configured retention policy (default 10 years; range 6–30 years per country preset).

2. Authentication

  • Passwords: hashed with Argon2id (or bcrypt as fallback) before storage. We never see your plaintext password. Minimum password length is 12 characters, and common passwords are rejected.
  • Sessions: HTTP-only, Secure, SameSite=Lax cookies signed with HMAC. Sessions expire on inactivity; no permanent “remember me” cookies.
  • Sign-in protection: rate-limited per IP and per account. Repeated failures trigger progressive lockout (60s → 5min → 30min). Suspicious sessions are auto-revoked.
  • Email verification: required before login. Email-change attempts trigger a verification flow on the new address.
  • OAuth: Google sign-in supported. We never request more than the email + name + profile picture scopes.
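The progressive lockout described above (per IP and per account, 60s → 5min → 30min), as an added illustration that is not Pileform's own code. The failure threshold of 5 before a lockout, the in-memory store and the injectable clock are assumptions made for the example.

```python
import time

# Lockout schedule stated on the page: 60 s, then 5 min, then 30 min (held at 30 min after that).
LOCKOUT_SCHEDULE = (60, 5 * 60, 30 * 60)


class SignInGuard:
    """Tracks failed sign-ins per IP and per account and applies progressive lockout.

    Constructed example: state lives in a dict; a real deployment would use a shared store
    so that every edge/origin instance sees the same counters.
    """

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so tests can advance time deterministically
        self._state = {}     # key -> {"lockouts": n, "locked_until": ts, "failures": m}

    def _entry(self, key):
        return self._state.setdefault(key, {"lockouts": 0, "locked_until": 0.0, "failures": 0})

    def is_locked(self, key):
        return self._clock() < self._entry(key)["locked_until"]

    def check(self, ip, account):
        """True if a sign-in attempt may proceed; either the IP or the account being locked blocks it."""
        return not (self.is_locked(("ip", ip)) or self.is_locked(("acct", account)))

    def record_failure(self, ip, account, threshold=5):
        """Count the failure against both keys; each one escalates its own lockout independently."""
        for key in (("ip", ip), ("acct", account)):
            e = self._entry(key)
            e["failures"] += 1
            if e["failures"] >= threshold:
                idx = min(e["lockouts"], len(LOCKOUT_SCHEDULE) - 1)  # step along the schedule, then cap
                e["locked_until"] = self._clock() + LOCKOUT_SCHEDULE[idx]
                e["lockouts"] += 1
                e["failures"] = 0

    def record_success(self, ip, account):
        """A successful sign-in clears counters so a legitimate user is not penalised later."""
        for key in (("ip", ip), ("acct", account)):
            self._state.pop(key, None)

    def lockout_seconds(self, key):
        """Remaining lockout for a key, 0 when not locked."""
        return max(0.0, self._entry(key)["locked_until"] - self._clock())
```

Because the account key is counted separately from the IP key, an attacker rotating source addresses still hits the account-level lockout.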

3. Account isolation

Every database row that touches user data carries a foreign key to the owning account. API queries filter by account ID at the SQL level, not just at the application layer, so a programming bug that omits the application-layer access check still wouldn’t leak data across accounts.

Object storage uses per-account key prefixes (e.g. capture-results/{account-id}/{job-id}.zip) and the request path is validated against the authenticated session before the file is signed for download. Direct R2 URLs aren’t exposed.
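The two isolation checks described above (an account filter inside the SQL predicate, and validation of the requested object key against the authenticated session before anything is signed), as an added example that is not Pileform's own code. The schema, the sample rows and the permitted identifier alphabet are assumptions made for the example; the key layout `capture-results/{account-id}/{job-id}.zip` is the one stated on the page.

```python
import re
import sqlite3

# Key layout from the page: capture-results/{account-id}/{job-id}.zip
KEY_PREFIX = "capture-results/"
# Assumed id alphabet: rejects "/", "..", whitespace and anything else that could alter the path.
ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def setup_db():
    """Constructed sample schema: every user-data row carries the owning account_id."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts(id TEXT PRIMARY KEY)")
    conn.execute("""CREATE TABLE capture_jobs(
        id TEXT PRIMARY KEY,
        account_id TEXT NOT NULL REFERENCES accounts(id),
        status TEXT NOT NULL)""")
    conn.executemany("INSERT INTO accounts VALUES (?)", [("acct-a",), ("acct-b",)])
    conn.executemany("INSERT INTO capture_jobs VALUES (?, ?, ?)",
                     [("job-1", "acct-a", "done"), ("job-2", "acct-b", "done")])
    return conn


def get_job(conn, session_account_id, job_id):
    """The account filter is part of the SQL predicate, not a check applied to the row afterwards."""
    return conn.execute(
        "SELECT id, account_id, status FROM capture_jobs WHERE id = ? AND account_id = ?",
        (job_id, session_account_id),
    ).fetchone()  # None when the job exists but belongs to another account


def authorize_download_key(session_account_id, requested_key):
    """Return a canonical object key only if it sits under the session's own prefix, else None."""
    if not requested_key.startswith(KEY_PREFIX):
        return None
    parts = requested_key[len(KEY_PREFIX):].split("/")
    if len(parts) != 2 or not parts[1].endswith(".zip"):
        return None  # extra segments (including "..") or a non-zip name
    account_id, job_id = parts[0], parts[1][:-len(".zip")]
    if not (ID_RE.match(account_id) and ID_RE.match(job_id)):
        return None
    if account_id != session_account_id:
        return None  # prefix names a different account than the authenticated session
    # Rebuild the key from validated parts rather than echoing the caller's string.
    return f"{KEY_PREFIX}{session_account_id}/{job_id}.zip"
```

In a real handler the key returned here would be checked against `get_job` as well, so a download is signed only for a job the session's account actually owns.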

4. Network & infrastructure

  • Edge: an enterprise edge/CDN sits in front of all production traffic. WAF rules block known attack patterns (SQLi, path traversal, common bot signatures).
  • DDoS: an anycast edge network absorbs volumetric attacks before they reach our origin.
  • Origin: the receipt-processing server runs on dedicated EU infrastructure with private networking; only the signed Worker HMAC callback can reach the internal job-completion endpoint.
  • DNS: managed with DNSSEC enabled.

5. Logging & monitoring

  • Audit log: sign-ins, password changes, email changes, account deletions, and capture jobs are logged with timestamp, IP, and user agent. You can request a copy of your audit log via the GDPR data-export endpoint.
  • Error monitoring: server-side errors are captured (Sentry); customer payload data is scrubbed from error reports before transmission.
  • Retention: 90 days for sign-in fingerprint logs; capture job records follow your configured retention policy (default 10 years; range 6–30 years per country preset) unless you request earlier deletion.

6. Breach response

If we detect or are notified of a security breach affecting your data, we’ll notify you within 72 hours per GDPR Article 33. The notification will include:

  • What happened: root cause as far as we know it
  • What data was affected: specific scope, not vague generalities
  • What we’ve done: immediate containment and remediation
  • What you should do: concrete steps (rotate password, monitor for misuse, notify your client if applicable)

We’ll also report to the Cyprus Data Protection Commissioner where required. A post-mortem is published if the breach affected more than a handful of accounts.

7. Vulnerability disclosure

If you discover a security issue, we want to hear about it before it becomes a breach. Email security@pileform.com with the details. We’ll respond within 2 business days, fix critical issues within 7 days, and credit the reporter publicly (with permission) once the issue is resolved.

Safe-harbour: good-faith security research doesn’t result in legal action from us. Don’t access other accounts’ data, don’t disrupt service, don’t demand payment as a condition of disclosure, and don’t publish the issue before we’ve had a chance to fix it.

8. Compliance

  • GDPR: compliant. Our Data Processing Agreement is published in full, no email required.
  • Tax-record retention: default 10 years system-wide, configurable 6–30 years per country preset (Cyprus / UK / Ireland / Malta / Spain / Greece 6 years, Netherlands 7, Germany / France / Italy / Lebanon 10) to satisfy the strictest applicable tax statute. Settings → Data & exports.
  • Sub-processor changes: notified to active customers 30 days before taking effect, per Article 28.
  • SOC 2 / ISO 27001: we follow the same control families internally. We are not currently certified.

9. What you control

  • Password rotation: available from your account page at any time.
  • Session revocation: remote sign-out revokes the session cookie; changing your password automatically invalidates all other sessions.
  • Data deletion: you can request immediate deletion of any individual capture job, or full account deletion. We honour both within 30 days unless legally required to retain (e.g. active tax audit).
  • Data export: GDPR portability endpoint returns a JSON dump of everything we hold about your account. No fee, no questions.

Questions? contact@pileform.com. Security issues? security@pileform.com.